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(Whereupon, the following morning trial proceedings 
were had on the 14th day of October, 2013, to wit:) 

THE COURT: We're on the record in Case No. 
CJ-2008-7969 . we're outside the presence of the jury. The 
court has marked as Court's Exhibit 6, the video clips from 
the deposition of Mr. ishii. And I have marked as Court's 
6 a, the entire deposition of Mr. ishii. 

Then it is my understanding, Mr. Baker, that you 
wanted to talk about something on the record. 

MR. BAKER: Yes, ma'am. Our first witness this 
morning would be a video deposition of Mr. Osawa, O-S-A-w-A. 
we have narrowed it down, your Honor, to two small sections 
of objections, I think I agreed to and have removed several 
of their objections. And we're at page 80, line 9, through 
81, line 16. 

THE COURT: This is Mr. Osawa, correct? 

MR. BAKER: Yes, ma'am. And we reversed colors on 
this one. Blue are our designations. And they have 
objected to this, and we talked about it Friday. As I 
understand, this section, their objection is this is a 
subsequent remedial measure. 

THE COURT: So why would this -- and your position 
is that is some sort of software reform that, some way that 
they were going to correct the software in these 
automobi1es? 

***** T HIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



4 


1 MR. CLARK: That's right, whether they were going 

2 to do it in 2007, 2 1/2 years after manufacture and a month 

3 after the crash. I think the evidence code is pretty clear 

4 tha if you are just offering to prove liability, subsequent 

5 remedial measures are inadmissible. I'm not sure what 

6 they're offering it for. 

7 THE COURT: And we're only talking about through 

8 line 16, so we would pick up about would anything needed to 

9 be done to improve the spaghetti-1ike status. 

10 MR. CLARK: I think we have a separate objection to 

11 that. 

12 MR. BAKER: There is a separate objection after 

13 that. 

14 THE COURT: What would keep this from being a 

15 subsequent remedial measure? 

16 MR. BAKER: Under the evidence code Section 2407, 

17 this type of evidence is admissible if use it to basically 

18 to rebut or impeach a position taken by the defendant, in 

19 this case, they have taken the position that you can't have 

20 a UA through software and that, two, there is absolutely 

21 nothing wrong with our software. 

22 MR. CLARK: I don't think either one of those is 

23 the position, in fact, the first one this testimony has 

24 nothing to do with because there is no connection to UA. 

25 And the second one -- 
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THE COURT: Wait. Then why would it be a 
subsequent remedial measure at all if there is no connection 
to the UA? 

MR. CLARK: For the second reason. And the second 
reason, he said we've taken the position there was nothing 
wrong with the software. And certainly, you know, we and 
the plaintiffs have a different characterization of it. 
However, it is true that we already had testimony come in in 
this case that Toyota was thinking about compliance with 
MISRA. Certainly, I would imagine, that they will argue 
that Toyota was thinking about compliance with MISRA later 
on because they thought they could make the software better. 
Tell me if I'm misconstruing your position, Mr. Baker. 

MR. BAKER: This exhibit that it's taking about at 
the very beginning, this is the English translation. Part 
of it, your Honor, is discussing the software revisions for 
the power train ECM. 

MR. CLARK: I think the key language in Section 
2407, your Honor, is the word if disputed. For anything 
other than impeachment, there needs to be a dispute about an 
issue for to come in -- for subsequent remedial measure to 
come in. And I don't think there is any dispute, we're not 
going to come in and say that we couldn't have done things 
differently, we will say the fact that we didn't do things 
differently makes no difference. 
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THE COURT: Let me ask: Does Toyota take the 
position that there isn't -- because when I allowed 
subsequent remedial measures, what comes to mind to me is 
the situations where a defendant takes a position there is 
nothing that could have been done to fix this situation, 
then later did something to fix the situation. 

is that at all an allegation here? I know you're 
saying they are saying there is no defect. 

MR. BAKER: what we heard from Mr. Lentz, and we 
heard from Mr. ishii is in terms of a UA, there is no way 
software could cause it because we don't have a problem with 
our software in that regard, in this document that he is 
talking about here, there is a specific discussion about 
changing all of the power train software in the ECU which we 
believe would be an impeachment of what they're saying that 
there is no problem. 

THE COURT: what is the purpose other than to show 
that there was some sort of liability or culpable conduct? 
Aren't you using it to refute their claim there is no 
culpable conduct? 

MR. BAKER: No, ma'am, we're using it to refute or 
impeach their position that their software is fine, that 
there is not a problem with it. They have disputed there is 
a problem with the software. 

MR. CLARK: Mr. Baker is sort of inflating two 
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different issues. 

THE COURT: under the "or" impeachment. Now I see 
the language. 

MR. CLARK: The issue that software can cause UA, 
this has nothing to do with. You can fix software for all 
kinds of purposes, and the testimony from Mr. ishii, that I 
don't think is going to be disputed by anyone, is that 
Toyota was thinking about MISRA compliance to make their 
software more readable not change the functionality of it. 

MR. BAKER: This flows, your Honor, into the next 
part, the next objection they will have. 

THE COURT: is this starting at line 17? 

MR. BAKER: Yes, ma'am. It goes through several 
pages. But it goes to the part of this document where they 
talk about their spaghetti-1ike status of their software. 

THE COURT: Okay. And what is your objection 
starting at line 17 and forward from there? 

MR. CLARK: The objections is really best seen on 
page 90, lines 9 through 16, or maybe lines 3 through 16, 
where he says they're not even talking about Denso, which 
means they're not talking about the engine ECU that is in 
our vehicle, because Denso is the one who made the engine 
ECU in our vehicle. So either they are talking about 
computers that are not at issue in this vehicle, or they are 
talking about computers in other vehicles, neither of which 
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is relevant. 

THE COURT: So you are saying this whole discussion 
about this exhibit isn't even the software that is at issue 
here that was created by Denso? 

MR. CLARK: This is exactly what we were talking 
about in the motion in limine. 

THE COURT: is that your position here that this 
isn't even Denso software being discussed in this exhibit. 

MR. CLARK: well, apparently not. That is what the 
testimony is. 

MR. BAKER: That is his interpretation of the 
document, your Honor. Just like you allowed witnesses to 
tell you what they thought the documents meant, our experts 
will say different. Because if you look at the language 
here, it clearly states our power train ECUs which is across 
the board. 

MR. CLARK: But the court ruled that your experts 
can't say that because they can't say what they think the 
documents mean. 

MR. ESDALE: They can say what it means to them. 

THE COURT: And that is what this gentleman is 
saying here, he says he doesn't think it has anything to do 
with Denso, and his interpretation involves something else? 

MR. BAKER: Yes, ma'am. 

THE COURT: Back to the first part of this, again. 
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1 Mr. Clark, are you saying that - - again, tell me that this 

2 does haven't anything to do with -- 

3 MR. CLARK: It doesn't have anything to do with the 

4 position that the software cannot cause UA, because there is 

5 no testimony that these changes that they're going to make 

6 in 2007 have anything to do with UA. The testimony from Mr. 

7 ishii is that the changes that were contemplated later, 

8 which would make the software more readable -- because, 

9 remember, NASA was frustrated with -- because they were 

10 having trouble reading the software. 

11 So this -- you remember there was some discussion 

12 about tire with an "i" versus tyre with a "y," that is the 

13 sort of thing, at least it is Toyota's position, that we're 

14 talking about, if they can show that some of these changes 

15 in 2007 were because -- 

16 THE COURT: How do I know from this document they 

17 were just talking about MISRA changes and not UA-type 

18 issues? How do I know your i nterpretati on of this document 

19 is correct that it is MISRA? 

20 MR. CLARK: I don't think -- I don't think you know 

21 it from this document, but, you know, we can go back to the 

22 fact it is plaintiffs' burden to prove admissibility, not 

23 mine. And if all they have is because I said so, it is 

24 about UA, and that is not enough. 

25 THE COURT: It is just open-ended. It could just 
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10 

as easily apply to UA as it could to MISRA. I am going to 
overrule both of those objections and allow this evidence 
in. For the record, specifically, the first portion of that 
that appears to be -- could be a subsequent remedial 
measure, I am allowing it in for the impeachment exception. 

Then is there another issue? 

MR. BAKER: Just the spaghetti reference. 

THE COURT: I will allow that in also. 

MR. BAKER: I think that is it, as far as I know, 
the objections. 

(whereupon, an offOthe-record discussion was had.) 

THE COURT: You gave me a tentative motion in 
limine order this morning. 

MR. BAKER: Yes, ma'am. Your Honor, as you will 
recall, there was an issue with an error that Mr. Barr made 
in the van Alfen case, and we filed a motion in limine about 
it. The van Alfen case was in the MDL and was the first 
bellwether case. And in that instance, Mr. Barr had been 
given some source code late and hadn't been given the proper 
tools to read it. As a result, he did not include some 
portion of it when he was looking at part of his analysis. 

It was brought up initially to Judge Selna, and he 
concluded that that error was at least in part attributable 
to the delay of Toyota producing it, which is the second 
order that I gave you, and was originally in our motion in 
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1 limine. Last week, Judge Selna issued this tentative order. 

2 THE COURT: Let me interrupt, was it in St. John 

3 that this error occurred? 

4 MR. BAKER: No, ma'am. It was van Alfen. 

5 THE COURT: And this is St. John court commenting? 

6 MR. BAKER: It is the van Alfen and St. John court. 

7 MR. CLARK: Same court. 

8 THE COURT: Okay. 

9 MR. BAKER: St. John is the second bellwether case 

10 to come up in the MDL. 

11 THE COURT: So this is Judge Selna? 

12 MR. BAKER: Yes, ma'am, on both orders I gave the 

13 court this morning. 

14 THE COURT: Sorry. I didn't realize the second 

15 order was there. 

16 MR. BAKER: That is the original order from van 

17 Alfen where he discusses it. 

18 MR. CLARK: I think it was attached to your 

19 motions. 

20 MR. BAKER: It was. At page 3 of that order, he 

21 discusses the fact that Toyota was partially to blame for 

22 the error Mr. Barr made. 

23 THE COURT: in the van Alfen, it is actually an 

24 order of the court, where as in the St. John it is 

25 tentative? 
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MR. BAKER: He had just issued that last week, so 
that is all we have. 

THE COURT: But the van Alfen was actually signed 
by the judge? 

MR. BAKER: Yes, ma'am. And that is what I have 
given you there. 

THE COURT: And so as a result of this, you would 
like me to reconsider my ruling with regard to Mr. Barr 
having -- where I said I would allow them to talk about his 
big mistake in the van Alfen case? 

MR. BAKER: Yes, ma'am, in light of the fact that 
Judge Selna in both van Alfen and St. John, who is the judge 
that oversaw this discovery process, and has abetter handle 
on exactly what happened. I know the parties have tried to 
communicate that to you. in looking at all the details that 
he is personally aware of, he has come to the conclusion 
that bringing it up would violate 403, being unduly 
burdensome and more prejudicial than probative and 
inflammatory. 

MR. CLARK: The problem, your Honor -- 

MR. BAKER: And I would just note, your Honor, in 
terms of this, as you describe it, it says tentative orders, 
the last page specifically instructs counsel to instruct all 
witnesses not to violate these orders. So I'm just guessing 
here that, and I'm assuming, it is tentative in the nature 
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that your rulings have been tentative until the evidence 
starts would be my read on it. 

MR. BIBB: Your Honor, I think the court's initial 
decision on this matter was correct. The background also is 
that in the St. John case Mr. Barr will not be permitted to 
discuss the so-called full throttle bug. Your Honor 
overruled us excluding that in this case. His work has 
built on his van Alfen work to his St. John work, and now to 
his Bookout work. 

And I think it is fair game to point out that he 
misread the code early on, made a number of opinions based 
on a misreading of the code. It is our position that he 
continued to misread the code, we will have Mr. Arora in 
here who will be testifying for Toyota about errors that Mr. 
Barr has made in reading the code or issues that he has 
made. 

So I think it is fair game for any expert to be 
able to challenge and to point out to the jury mistakes that 
they've made in their analysis which relates to their 
opinions in this case. And I'm not necessarily going to use 
-- Mr. Smith, who was here for argument, he likes to call it 
a big mistake -- I'm willing to go with Mr. Barr's words, 
which is he committed an error. 

THE COURT: It looks to me that what the judge is 
allowing is him to talk about there being an error, is the 
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issue here whether the surreply was going to come in, or 
whether they were going to get to use the -- it looks to me 
like he is saying you can talk about it being an error, but 
you can't talk about it. 

MR. BIBB: And that's what I plan to do. I will 
not call it the big mistake, like Mr. Smith does. But there 
was an error in reading the code, and I think it is fair to 
point out that he based his opinions on misunderstanding of 
the code. And if you misunderstood it then, he may be 
misunderstanding it now. 

THE COURT: Do you agree that what he was ruling on 
here is whether the sur-report was going to come in and 
whether they could use the word "error" versus "big 
mi stake?" 

MR. BAKER: I think in terms of the tentative 
order, this is related to what is going to happen at trial. 
From talking with plaintiffs' counsel involved in this case, 
and that's all I can relate to your Honor, is that he says 
the judge said the whole issue is out, they will not be 
allowed to talk about it. 

I think that why initially in this order he says 
typically you're allowed to ask an expert about reliability, 
but then he gets down here where he discusses the fact that 
because of the circumstances here it is not necessarily that 
he misread the code, because he didn't, he didn't read it. 
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He thought based on the limited amount of time he had it is 
was something that shouldn't be included. 

Once he read it, he realized that he made an error 
and put it back in. So it is not a reading, evaluating and 
making a mistake. He never had read it. Once he did, he 
corrected himself. That correction did not occur in this 
case. He had already done it, so the error didn't occur in 
this case. 

MR. BIBB: Didn't correct it until it was pointed 
out to him that he had made an error there, and they 
mi sinterpreted their own test data. Again, I think it is 
fair game to point out that there are errors with. I will 
not refer to it as a big mistake. 

MR. CLARK: The test data has nothing to do with 
this -- the test data is completely off the map, it has 
nothing to do with when Toyota did or did not produce 
things, in that respect, it is a separate issue from what 
is being ruled on here. It's -- the landscape is also a 
little bit different with the quote/unquote with the full 
throttle bug in because with the quote/unquote full throttle 
bug, what Mr. Barr has said is, I have read the code, and I 
believe it to say this but I haven't tested it. 

Now, the court has ruled that comes in, and that 
makes it a little bit more important in this case to be able 
to ask Mr. Barr about what happened the last time he did 
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that, read the code, did not test it, made an error, as 
opposed to in St. John where the full throttle bug, 
quote/unquote, is out. 

THE COURT: What about that point? 

MR. BAKER: Well, the throttle bug is out in St. 
John because of the timing issues. 

THE COURT: But his argument that if we will keep 
the full throttle bug, wouldn't it be -- and he is going to 
say he didn't test it, wouldn't it be relevant for the jury 
to hear that last time he didn't test something? 

MR. BAKER: I guess if that is his position, I 
guess it depends on whether I talk about it or not. 

THE COURT: Full throttle? 

MR. BAKER: Yes, ma'am. And I would also suggest 
that if your Honor has any concerns that you might try to 
call Judge Selna this morning. But also if the judge is 
inclined to allow them to talk about it, I will want to put 
up Judge Selna's order where he says it is partly because of 
Toyota's fault. 

THE COURT: And I would allow that with regard to 
the order. I would have to think about it with the one that 
says tentative on it. if I do allow it, I would allow Judge 
Selna's order to come in, maybe not as an exhibit. 

MR. BAKER: Right. 

MR. BIBB: I think it would be fair game for him to 
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say, Look, I got the stuff late. I think that is going to 
be his excuse. I don't know if you will bring it out on 
direct. 

MR. BAKER: I just want the judge to consider it 
before we get to that point. 

THE COURT: All right. Are we ready to start? 

MR. BAKER: I think we are ready, your Honor, 
(whereupon, the jury enters the courtroom.) 

THE COURT: welcome back, ladies and gentlemen, 
we're back on the record in Case No. CJ-2008-7969 . The 
members of the jury are present as well as counsel and their 
clients. 

Mr. Baker, you can call your next witness. 

MR. BAKER: Your Honor, it is another video 
deposition of Mr. Keiichi, K-E-I-I-C-H-I, Osawa, O-S-A-w-A. 

THE COURT: How long did you say you thought it 

was? 

MR. BAKER: Right at 40 minutes, your Honor, 
(whereupon, the video deposition of Mr. Osawa was 
played to the jury. Not on the record.) 

MR. BAKER: Your Honor, we have an issue coming up 
that we need to discuss. 

THE COURT: Please approach. 

(The following bench conference was had outside the 
hearing of the jury:) 
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18 

MR. CLARK: This -- that little bit is source code 
protected because it has task names in it. So it is going 
to require the courtroom to be cleared per the order. I 
think what we're going to do is just play it when have the 
courtroom cleared anyway for part of Mr. Barr's testimony. 

THE COURT: who besides the attorneys and experts? 
Are there people in there that will not be allowed to hear 
it? 

MR. CLARK: We have a few attorneys that can't hear 
it. we can do it separately. 

MR. BAKER: I thought you were going to clear it 
now so we can clear it now. 

MR. CLARK: Do you want to do it now? 

MR. BAKER: Yes. I will tell her to jump to that 

point. 

THE COURT: So I will just say that anybody in here 
that does not have the approval, source code access, to 
leave other than obviously the court recorder and myself. 

MR. BAKER: Do the parties have to leave? 

THE COURT: Anyone that doesn't have source code 
access I guess. 

MR. CLARK: That's fine. 

(within hearing of the jury:) 

THE COURT: Ladies and gentlemen of the jury, this 
next portion, it is a very brief portion of this video 
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testimony, has to do with source code, which is subject to a 
confidentiality agreement, with the exception of the 
jurors, anyone in the courtroom who has not been given 
clearance by myself to have access to the source code data, 
if you will please step outside. 

Counsel, who is going to run the machine for this 
little blurb? This should take less than three minutes, so 
you're welcome back in the courtroom after that. 

MR. CLARK: I hope it will take less than one 
minute, your Honor. 

THE COURT: Counsel, I'm assuming the young lady 
that has been playing this through saw it through the 
editing process anyway. 

MR. BAKER: Yes, she did. There is no way to play 
it without her in the courtroom, your Honor. 

(whereupon, the video deposition was continued and 
completed.) 

MR. BAKER: Your Honor, at this time we want to 
switch witnesses. 

THE COURT: Okay. 

MR. BAKER: We are call Mr. Barr. 

THE COURT: The issue that we were discussing 
earlier, will that come up? 

MR. BAKER: It will come up. 

THE COURT: At the first part? 
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MR. CLARK: Eventually. 

(The following bench conference was had outside the 
hearing of the jury:) 

THE COURT: Counsel, I was looking at the order in 
here that was actually entered in the van Alfen case, what 
they were asking the court to do is to strike rebuttal 
reports, what the court ended up doing in van Alfen was 
just not striking the rebuttal reports. 

However, then tentative order in the St. John case, 
the court -- the way I read this, is that the court is 
saying that they cannot point out, cannot use the 
terminology big mistake. They can talk about an error. But 
there was additional language in here something about a DFR 
that was actually in the van Alfen. 

MR. BAKER: I won't be talking about that. 

THE COURT: So we don't need to deal with that? 

MR. CLARK: NO. 

THE COURT: So I will allow them to talk about an 
error. I will not use the terminology, and you can use the 
order in the van Alfen case. 

MR. BAKER: Okay. 

(within hearing of the jury:) 

THE COURT: Counsel, do we want to take a morning 

break? 

MR. BAKER: Yes, ma'am. 
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THE COURT: We're in recess for 15 minutes. 

All rise while the jury exits. 

(whereupon, a short recess was had.) 

THE COURT: we're back on the record. Members of 
the jury are present as well as counsel and their clients. 
Mr. Baker, you can call your next witness. 

MR. BAKER: Your Honor, at this time we call 
Michael Barr. 

THE COURT: Raise your right hand, please, 
(witness sworn.) 

MICHAEL BARR, 

called as a witness, after having been first duly sworn, 
testified as follows: 

DIRECT EXAMIN ATIO N 

BY MR. BAKER: 

Q Tell us your name, please. 

A Certainly. I'm Michael Barr. 

Q where do you live? 

A I live in Maryland, near Baltimore. 

Q And are you married? 

A I am. 

Q And do you have any children? 

A I have two boys, six and ten. 

Q How old are you? 

A Forty-two. 
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Q And could you tell us what you do for a living? 

A I'm an embedded software expert. 

Q what does that mean? 

A That is the question everybody always asks, well, I 
will have get to what embedded software is in a minute, but 
let me tell you a little bit about my background. I have 
studied electrical engineering; that is what my degrees are 
in. I have two of them, both from the university of 
Maryland, a bachelor's degree and a master's degree. Along 
the way, earning my electrical engineering degree, I also 
studied software. 

Q Let me stop you there. Pull the microphone a little 
closer, we're having trouble hearing you. As with Dr. 
Koopman, slow down a little bit. 

A Sure thing. 

Q You were talking about your software experience. 

A Yes. So I actually started programming when I was 

about 12. I grew up in a house where we had some of the 
early personal computers like Apple II and before that one 
from Texas instruments. So I became interested in 
programming. And all throughout my education in electrical 
engineering, which really focuses on the design of circuits 
and chips, circuit boards and other electrical aspects, I 
was also studying software programming, so I have been 
programming for about 30 years. 
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Q Who do you work for? 

A I am co-owner of a company called the Barr Group. I 
have a partner who runs the business. I'm the chief 
technical officer of the company, so I oversee our technical 
activities. 

Q what is it that the Barr Group does? 

A The Barr Group helps companies that make embedded 

systems, we will get to what they are, I promise you. we 
help to them make them more reliable and also more secure. 

So we help all kinds of different companies and a lot of 
different industries, we help companies who make -- I 
myself have worked on receivers for Direct TV. So if you 
have a satellite dish or a cable box in your house, I have 
worked on a product like that. 

I have also worked on products that are industrial 
control systems that are used, for example, in a factory to 
do manufacturing. I have consulted with companies and have 
been involved with the design of a number of medical 
devices, both medical devices that are used in treating the 
patients, and also those like pacemakers that could injure 
someone if they malfunction. 

And the Barr Group has a number of clients in a 
range of industries like that, so industrial controls, 
consumer electronics, medical devices, et cetera. 

Q And I know we have got a slide up here with your 
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background on it. Have you put us a PowerPoint slide 
together to help demonstrate some of the testimony you will 
give us today? 

A I have. 

Q All right. I know you mentioned a couple of your 
degrees. Can you go back and tell us when you received 
those degrees, please. 

A Yes. My bachelor's degree was 1994, and my master's 
degree was 1997. 

Q in terms of the Barr Group where you work now, when 
did you start that company? 

A The Barr Group was founded about two years ago, but 
it came out of another company that was founded in 1999 
called Neutrino (phonetic.) 

Q For the jury's benefit, can you give us a little bit 
of your work and background before you started the Barr 
Group. 

A Sure, when I finished my bachelor's degree, I went 
to work for a company that developed a lot of the 
telecommunication systems. The company was called Hughes 
Network Systems, and they made everything from satellite 
receivers for point-of-sale equipment. Like, a gas station 
in a remote area would receive and upload its pricing 
information and sales records through a small satellite 
terminal, and also base station equipment that is used in 
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cellular base station, when you pick up your cell phone and 
it connects to the tower, we made equipment for the tower. 

I was involved with a project there that was called 
an air phone. It was one of the first telephones on an 
airplane, so we were involved in enabling that system, and I 
worked on one of those products there. After that, I 
finished my master's degree, and I went to work for a 
company that had spun out of NASA. 

NASA has a green belt location just outside of 
Washington, DC, and some engineers had left there and formed 
a company to work on satellite ground station equipment to 
communicate with satellites. And I worked there for my next 
job. And pretty much after that, I started consulting and 
founded the Neutrino company. 

Q After your work with the group that came out of NASA, 
is there anything else that you did before working with the 
Barr Group? 

A That was the foundation of Neutrino in 1999. 

Q Looking here at your slide with your background and 

experience, it mentions that you have three patents, what 
do those patents involve? 

A I'm a named inventor on three patents, I'm not the 
only inventor on any of them. Those are related to my work 
with various companies that I have consulted with. So in 
one instance, the first patent was related to a piece of 
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physical therapy equipment which is like a -- kind of like a 
piece of gym equipment, but it is more important that it be 
safe because it is usually helping someone who is injured to 
recover a muscle injury or something like that doing 
repeated twisting motions or lifting motions and things of 
that sort. So one of those is related to -- not all of them 
come off the factory floor identical because of mechanical 
difference and that is related to the calibration to make 
sure they all behave the same way through the software. 

Q Now, I know you discussed some of your work in terms 
of your consulting work, but you mentioned up here that you 
have done specific consulting and training in embedded 
software process and architecture for reliability. 

Can you explain to us what embedded software 
process would mean in that context. 

A Sure. I think Dr. Koopman spoke at length about 
process for safety critical system design, and he talked 
about some of the international standard safety processes 
like MISRA. And I think he talked about 61508, which is an 
international standard not specific to automotive. 

So software process relates to how the software is 
specified and built. And there is -- that is the process. 
The architecture consulting relates to once you decided what 
you want to build and that you're going to follow a coding 
standard and do those other things to ensure that the 
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process is in place, architecture relates to the design of 
the software at a high level. 

Before you get down to the individual line of code, 
how do you structure things, and that is the architecture. 

It i s kind of like the architecture of a building, in the 
architecture of a building, they're not necessarily 
concerned with who is in what office and how it is 
decorated, they're concerned with how many bathrooms there 
are, how many floors there are, what the supports are. 

Q It also mentions here reference to you served as 
editor and a columnist and a conference chair. Can you tell 
us about that. 

A Yes. For about 3 1/2 years I served as editor in 
chief of an industry publication with about 60,000 embedded 
software engineers as readers. Believe it not, there is 
that many of them. And the magazine focused on good 
practices for designing embedded software. And our readers 
were our authors, so I was serving in a selection role 
selecting the best articles, the best techniques, and making 
sure that they got published. 

Q within that role, would that have been the time that 
you published some of the 65 articles and papers that we see 
here? 

A I started writing articles before I did that, in 
fact, that's how I ended up getting involved in that. My 
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first article was published in 1997. And then I published 
articles and columns during that time, during those 3 1/2 
years, but I continued to do so right up to the present day 
and other publications as well. 

Q And you reference three books, and we have a picture 
of those three books? 

A we do. 

Q Can we see that, please, when was this first book, 
Programing Embedded Systems published? 

A This first book was published in -- the copyright 
date is 1999, but it came out late 1998. And that book was 
actually very popular. It is a book that introduces new 
engineers and programmers to the aspects of programming that 
that are specific to designing embedded systems. So it was 
sold in tens of thousands of copies. It was -- I have up 
here a picture of the Japanese cover. So around 2000 or 
2001, this book was translated into Japanese, Taiwanese, 
Chinese, and Korean. 

Then later in 2006, another author came along and 
made a second edition of it, and I served more as an 
editorial role at that time. 

Q what is the next book? 

A The next book is called The Embedded Systems 
Dictionary. I wrote that book in 2003 with another industry 
experts who had been a columnist and a contributor to the 
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magazine that I was editor in chief of, and it defined about 
3,000 basically engineering terms that people use our in our 
industry, in the embedded system space, provided concise 
definitions of them so that we could all -- many of them we 
did have a common understanding, but there were certainly 
some where we didn't, so we tried to rectify the language 
and clarify some things. That was published in 2003. 

Q what about the last book? 

A The last book was published in 2008, and that was 
called The Embedded C-Coding Standard. There has been a 
second edition of it in 2012. And you heard about MISRA-C, 
and I will also talk a little bit about MISRA-C today. This 
is not a replacement for MISRA-C. There are some embedded 
programs that are not safety critical, and can use this 
standard, which is designed specifically to keep bugs out of 
systems and has some overlap with MISRA-C but is a 
lighter-weight version, if you will. 

It is also complimentary with MISRA-C in that 
MISRA- C is silent about style. It is more about rules that 
you should use to make your program safer, and this is both 
some of those safer rules and also stylistic rules to make 
your programs more readable and easier to obtain. 

Q All right. I will back up just a minute. You talked 
about your consulting work and the things that you do with 
Barr Group. As part of your consulting work, have you from 
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time to time done exactly what you're doing here today, 
acting as an expert related to software and embedded 
systems? 

A I have. 

Q what sort of things have you done in terms of that 

type of consulting? 

A Probably the most common engagement I've been 

involved with is patent disputes. So I've worked on patents 
related to smart phones, set-top boxes like the Direct TV 
receivers. Sometimes there are disputes between those who 
patent an idea and those who make a product about whether 
there is an and infringement between the two. And I often 
get involved in looking at the source code for the product 
that the accused to see if it infringes the patent or not. 

Q You just mentioned the word source code. And I know 
we will talk about it a lot today. Can you go ahead and 
tell us what source code means. 

A Yes. I have a example of it coming up, but the 
source code is just simply for now the human readable part 
of a software program. So there is the human readable part 
that the programmers write and maintain, and then there is 
the nonhuman readable binary part or version that the 
computer understands. 

And there are tools called compilers and things of 
that nature that convert the human readable into the machine 
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readable part. 

Q Does the source code, I guess from my layperson's 
view, the instructions that have been written by a human 
that the computer reads so it knows what to do that? 

A That is a good general explanation of it. Yes. 

The source code is what the humans write to tell the 
computer what to do. 

Q Now, you have been retained in this case to look 
specifically at certain aspects. Can you tell us what you 
were asked to do in this case. 

A Yes. So I have reviewed the source code for the 
engine control module in the 2005 Camry vehicle that was 
driven that day. And also in the -- I reviewed the facts of 
the incident in terms of what happened. And then I have 
expressed opinions with respect to the software and with 
respect to the incident as it relates to the software. 

Q So you were asked to look at the software and 
determine whether it worked or not in this vehicle? 

A That's correct. 

Q And you mentioned looking at several things, in the 

information you've looked at, have you looked at 
depositions? The jury has heard about depositions. Have 
you looked at depositions? 

A I have. 

Q Have you looked at what I call fact witness 
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1 depositions from people who saw or witnessed things related 

2 to the wreck? 

3a I have. 

4 Q There are a number of experts, jury already heard 

5 from a few of them. Have you looked at expert depositions? 

6a I have. 

7 Q There have been -- there has been some testimony 

8 about Toyota documents. Have you looked Toyota documents 

9 that have been produced? 

10 A A lot. A lot of Toyota documents. Yes. 

11 Q There is a bunch of boxes back here. Have you looked 

12 at enough documents to fill many, many boxes? 

13 A I've had access to probably more pages of documents, 

14 but many of them were produced electronically, so I don't 

15 know how big they would be when printed. But I imagine it 

16 would be larger than that. 

17 Q Have you used those as part of your analysis to 

18 render opinions in this case? 

19 A Yes, I have. 

20 Q Also, as part of your analysis in this case, have you 

21 reviewed sworn testimony of people who claim to have also 

22 had unintended acceleration events? 

23 A I have. 

24 Q And have you used that to help you analyze the facts 

25 in this case? 
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A Yes, I have. 

Q As part of your review in this case -- and let me 
step back -- this is not the first Toyota UA case that you 
have been involved with, correct? 

A That is correct. 

Q Have you written reports related to those other 

cases? 

A Yes. 

Q And in a general context, have you also written a 

report that embodies much of your analysis of Toyota 
software or source code? 

A I have. 

Q Does it encompass 13 chapters? 

A Yes. It consists of a summary report and 13 chapters 
of detai 1 . 

Q is this the approximately 800 pages worth of analysis 
that you have done related to Toyota software? 

A That's right. 

Q All right, what I would like to do now is move on to 
your analysis and talk about some of the terms that we will 
be hearing about, okay? 

A So embedded systems is probably something you're 

wondering about, it is all over my bio and things like that. 
Embedded systems are simply computers that you don't think 
of as computers, your microwave oven, this laser pointer, 
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1 the Nike fuel band that I wear as a watch and a pedometer. 

2 Those are all examples of embedded systems. Like it or not, 

3 the world is producing over 10 billion of these a year. 

4 in fact, when you think of a computer and you think 

5 of a laptop or a desktop computer, that is about one or two 

6 percent of all the processers that are being made. A lot of 

7 less expensive processors are going into everything from 

8 these kinds of examples to satellites in the sky, your TV. 

9 That TV that is there has a computer inside it and software. 

10 So those always consist of the electronics, a processor and 

11 software. 

12 Q And as these embedded systems, computer embedded 

13 software systems that you're trained and have experience in 

14 analyzing and writing? 

15 A Yes. 

16 Q Are these systems also included in cars? 

17 A They are. They have been included in cars for quite 

18 a while. One of the early motivating reasons for including 

19 a computer in the car was related to emissions control. So 

20 putting a processor and software at the heart of the car in 

21 order to control the spark timing is something that has been 

22 done going back several decades now. 

23 Q As we see on the slide, has it evolved to where it 

24 encompasses many, many functions that go on within an 

25 automobile? 
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A Absolutely. It was probably 2006 when I saw a BMW ad 
that said for the series 7 they said we have over 100 
processors inside this car. And that included things like 
in a seat, when you raise and lower electronically the seat, 
there may be software involved in that with some cars, when 
you can remotely control the mirrors, there may be software 
involved with that. Some of the cars have automatic, the 
mirror will automatically go back. 

So, basically, a modern car is a network of 
computers, we will talk a lot about the engine control 
module, but there are also air bag computers, and there are 
also anti lock brake computers, and there are a number of 
other safety systems in a car that are embedded systems. 

Q And we will focus through your testimony on the 
electronic throttle control system? 

A That's correct. 

Q Let's move then to what you have specifically looked 
at in terms of Toyota's source code for the electronic 
throttle control system. 

A So I've had access to a secure room located in 
Maryland that had Toyota's source code and a number of other 
source code related documents produced in it. And in that 
room, I had access to the source code for the engines of a 
number of different Toyota vehicles, including the 2005 
Camry, but also other models like the Lexus ES, the Tacoma 
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1 and some others. And for many model years, from about 2002, 

2 when Toyota first introduced the electronic throttle 

3 control, until generally 2010 model years. 

4 Q And you mentioned here what you saw was subject to 

5 confidentiality agreements? 

6 A Yes. 

7 Q I mean, just any of us could walk in off the street 

8 to this facility that used to be in Maryland and take a look 

9 at Toyota source code, could we? 

10 A No. There were only 12 experts have ever been 

11 allowed in. 

12 Q As I understand, that secure facility has now been 

13 moved to California? 

14 A Yes. It was recently moved. 

15 Q And a moment ago, we heard some testimony very 

16 briefly where some phrases from the source code were used 

17 when we were listening to Mr. Osawa's testimony. Do you 

18 recall that? 

19 A I do. 

20 Q And is it those bits of information and how they're 

21 described in Toyota source code that are subject to this 

22 confidentiality agreement? 

23 A That's correct. 

24 Q is the operating system for these vehicles you listed 

25 here from 2002 to 2010, the Camry, the Lexus ES and the 
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Tacoma substantially similar? 

A Yes. There are, to be clear, there are two different 
of operating systems that Toyota used in that time frame; 
one was a version of Itron, (phonetic) and the other was a 
version of OSEK. And I will come back and talk, more about 
OSEK which is relevant to the 2005 Camry. with respect to 
the details that I will talk about, they are substantially 
si mi 1 ar. 

Q in terms of the software that actually runs the 
electronic throttle control system for the Camry, the Lexus 
ES, and the Tacoma in the year models that you have up here 
2002 to 2010, is that software substantially similar for the 
analysis that you're doing? 

A Yes. 

Q And I guess I should have asked this earlier: I know 
you've testified in court before, but have you ever 
testified in court about the Toyota software issues that 
you're going to talk about today? 

A No. This is the first time I've talked in court 
about what I've seen in this code room. 

Q The type of software review that you've done in terms 
of Toyota software code, is that standard type of procedure 
used to evaluate source code for any type of product? 

A That experts see source code is not unusual, but the 
protections around this source code are certainly unusual in 

***** T HIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



38 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


my experience. 

Q All right. And I don't know if you can explain it to 
us. Give us just a general idea of exactly what it is when 
you go to review source code, what is it you're doing? Are 
there books there that have the source code written out? 

A Thankfully no. The source code review involves 
looking at electronic documents on computers. There is 
basically a room the size of a small hotel room that is 
disconnected from the internet, no cell phones allowed 
inside or would work inside, in that room there is about 
five computers and some cubicles. 

in there, it is possible to believe view on the 
computer screen Toyota's source code, we couldn't take any 
paper in, take any paper out, couldn't wear belts, watches. 
There was a guard. It was worse than airport security was 
on the way here. Each time in and out, even to go to the 
bathroom. 

Q How much time did you spend doing an analysis of 
Toyota source code? 

A Countless hours. I haven't -- I mean, over a 
calendar period, it has been approximately 18 months that we 
had access to the code. I guess now it is maybe closer to 
20 since the first production of source code for those 
vehicles. And so I was supported in there by a number of 
other engineers, including three from my own team from the 
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Barr Group. 

Q And we heard some discussion about a NASA study 
related to this Toyota UA issue and the software. Did NASA 
have access to some of this source code? 

A NASA was brought in to look at source code because 
NHTSA couldn't get to the heart of the problem, it didn't 
have any software engineers on staff. So NASA was given 
access to a few model years of Camry source code, as I 
understand it, at a Toyota facility in California. 

They didn't have as much time. They didn't have as 
many vehicles, and so what we did actually was to build on 
their work. First, we confirmed that what they were seeing 
was consistent with what we were seeing, at least for the 
vehicles that they had, the 2005 Camry was the one they 
wrote about. And we also dug deeper, and so we pushed on 
various topic issues researching different aspects of the 
software design. 

And importantly, NASA had a very tight time line 
and not necessarily unlimited resources or unlimited time to 
review the code. This is a Toyota document where they were 
discussing the NASA project internally. And Mr. ishii's 
name -- and apologies for mispronouncing these Japanese 
names, I'm sure -- Mr. ishii's name is on this document, and 
he is talking about how he or someone was talking to him 
about NASA has a very short time line, only a few months to 
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reach their conclusion. And that was the NASA process. 

Q And I know we will talk about it in depth as we go 

along, but did NASA have access to as much information as 

you ultimately had in reaching conclusions about Toyota 
software? 

A No. Even just for the 2005 Toyota Camry we had more 
documents, we had more source code, we had more things than 
NASA had. 

Q Can you show us an example of what source code looks 

like. And I know what is on your slide is not Toyota source 

code, it is just an example, right? 

A That's correct, we don't need to clear the room. 

This is just a simple example of source code in the same 
programming language that Toyota's main computer source code 
was written in. And that is the C programing language, the 
letter C. And it probably looks like nothing, right? But 
Dr. Koopman talked about how it is a -- like a recipe. 

And so this is basically, what I put here, is some 
sample code in the C language for a recipe for something 
that most children in first grade or second grade can do, 
which is to figure out if you give them two numbers which 
one is larger. So this is a recipe for a computer to take 
any two numbers, and the recipe name is also the function 
name, which is larger of. 

Now, I chose that name. I could have chose a less 
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descriptive name, or I could have chosen a more descriptive 
name. And the ingredients that the recipe relates to are 
what are called variables, so here A and B. So this is a 
generalized recipe. You can give it any two numbers. 

So you might tell a child is 67 bigger than 63? My son can 
do that. And this computer can do that by passing 67 as A 
and 63 as B, and then the recipe will compare them. 

The first line here says if A is bigger than B, so 
if 67 is bigger than 63, then return 67. And if the 
situation was reversed, let's say it was 63 first and 67 
second, then this "if" would fail, and we would go to the 
"else," and then we would return the 67 that came into 
second -- called parameters when they are passed -- so that 
is the recipe for comparing two numbers to see which one is 
larger and returning back the larger one. 

So another part of the software can use this recipe 
at any time. And the last thing that I wanted to talk to 
you about is these things over here between the slash stars, 
and those are just simply comments. 

Q Are both of those comments? 

A They are. I only marked one of them. So the 
comments are simply more human readable stuff, but that 
stuff is it never seen by the computer. That stuff is there 
for the benefit of the programmers to explain what they are 
trying to do. So one way of explaining what you're trying 
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to do is pick good variable names and good function names. 
And another way to explain what you're trying to do is to 
write a lot of comments or a commentary to explain what it 
is that you're trying to do. 

Q All right, in terms of Toyota's source code that you 
would have reviewed for your analysis, I mean, you have 
shown us something here in English, was it in Japanese? 

A The source code was written in English. The variable 
names were in English. The function names were in English, 
and the things of that sort. The programmers were working 
in English. However, the comments were predominately in 
Japanese, we actually had a tool that came from a Japanese 
company that called Atlas that we could run in the room to 
translate things. 

At first, we would cut and paste a particular 
comment into this tool, and we could read what it said in 
English. But then we actually had a small project where we 
wrote an automated process of converting all the comments at 
once into English so we could look at the code with the 
original English source code exactly as it had been and the 
translated comments next to it. Not everything was 
translatable automatically like that, but most of it was. 

Q And I know you have given us an example here of 
comments just so we understand what you're talking about. 

Do you always have comments in lines code? 
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1 A Generally there are comments in source code. There 

2 need not be in order for the compiler to make a program, but 

3 they're generally are and should be so that the humans 

4 working with the code can understand it. 

5 Q And you just mentioned a word there, compiler, in 

6 terms of reading source code, what is a compiler? 

7A a compile is a development tool that programmers use. 

8 It is another piece of software, one that they use to take 

9 the human readable code and turn it into machine readable 

10 binary code that can be downloaded in your car, for example. 

11 Q when you say it is turned into binary code, what is 

12 binary code mean? 

13 A Sorry. Binary codes is ones and zeros. And the 

14 machine knows what to do with them because it knows that it 

15 should group them together into groups of 16 or groups of 32 

16 and that certain ones are instructions that it know what to 

17 do like add two numbers, compare two numbers, see if 

18 something was zero, move to another address, things of that 

19 sort. And the compiler generates sequences of these 16 or 

20 32 bit instructions, which are a bunch of binary bits. And 

21 the computer knows how to interpret them and what to do to 

22 follow the recipe in that situation. 

23 Q Now, you mentioned using your tool to help you 

24 translate part of the comments into English, were you 

25 required to use any other types of tools that would help you 
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or assist you to read the source code while you were in the 
source code room? 

A well, we weren't required to necessarily, but we had 
access to a number of tools that we did use. we requested 
that certain tools be placed into the room when the room was 
open. And those tools included the actual Green Hills 
compiler that Toyota used, a related set of utilities that 
would have been used in a software development process, 
names I don't need to bother you with. 

And also, importantly, a simulator which Green 
Hills provides, along with the compiler, which is able to 
pretend to be the target processor so that you can run code 
and step through it one instruction at a time, if you like, 
or set places where you want to stop and see what is going 
on. we did take advantage and use that simulator in our 
analysis of the source code in the code room as well. 

Q would the simulator help you to read or understand 
the instructions in the code as if it was running in the 
vehicle? 

A Yes. But of course the simulator itself is just 
running on a desktop computer, so it is not a vehicle. So 
it cannot simulate all the things that a vehicle can do. 

Q were you able to run certain tests on the software in 
the source code room? 

A Yes. 
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Q What sort of tests did you run? 

A well, so, for example, we were examining the 

operating system and understanding how the operating system 
worked, and we were able to use the simulator to both 
examine what is happening while the computer ran or what 
would be happening in the car. And also to analyze certain 
aspects of its behavior to see if it functioned as it said 
in the user manual, for example, or as it said in the source 
code and things of that sort. 

Q As you're reviewing the source code, did I hear you 
say earlier that you couldn't take notes and carry them out 
of the room? 

A No. To-do lists were a bit of a problem. You had to 
remember that you wanted to get something when you got out 
of the room and then go look it up, and you had to remember 
what it was you learned when you went back into the room. 

It was quite an impediment to the process. 

Q while you were in the source code room using some of 
these tools and reviewing the source code, were you able to 
identify any coding rule violations? 

A Yes. Many. 

Q was there a specific tool that you used to do that, 

or was that a manual process that you yourself had to go 
though? 

A well, checking for compliance with coding standards 
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can be done both by reviewing things as a person sitting 
there looking at the code, but that is not necessarily 
efficient. So for some coding rules, at least, there are 
tools called static analysis tools which look at the source 
code for you and look for certain types of rule violations, 
and we had access to several tools of that sort in the code 
room, and we used them. 

Q And you were here last week for Mr. ishii's 
deposition? 

A Yes. I heard that. 

Q He mentioned something about source code modules. Do 
you understand what he was talking about? 

A Yes. 

Q Explain that to us briefly. 

A Yes. So the source code consisted of for a 
particular vehicle on the order of a million lines of code. 
And so by a line of code, I mean like a line in a document. 
So if you look at the page of a word document, it might have 
50 lines on. if you were to print out a million lines of 
code, you can imagine it would be pretty large. 

The source code is generally, and Toyota's was, 
divided up into what are called modules. So related 
recipes, or parts of the recipe are grouped together in 
files, just like I broke up my report into a summary and 13 
chapters. They broke up their software into approximately 
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4,000 files. Don't quote me on that number, but it is on 
that order. 

Q So while you're there, knowing that they are in 
modules is your focus to look for the modules that relate to 
electronic throttle control? 

A well, in one since there are modules that relate to 
electronic throttle control because they are recipes that 
are specific to electronic throttle control. But in another 
sense, it all relates to electronic throttle control because 
it is all running on the same processor. So one part over 
here that might not appear to be named as throttle control 
recipes can actually interfere with and cause problems with 
the throttle control recipe. 

So it is not that we only looked just at the code 
that said, Here are the throttle recipes, we did, but we 
also had to look at other parts of the code as well. 

Q Through this source code review, were you able to 
identify bugs within Toyota's software? 

A Yes. 

Q what sort of tools did you use to identify those 
bugs? 

A Most of the bugs that we -- that I wrote a whole 
chapter on bugs that we found in their code -- most of those 
were found inadvertently. They were found when we were 
reading some module to see how it worked because we were 

***** THIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



48 


1 understanding the system, and we found that there was a bug 

2 in the code. 

3 The other way that we found bugs was when we ran 

4 the static analysis tools, for example, to see if there were 

5 rules violations. Sometimes those rule violations or the 

6 results from the tool would be -- would turn out to be bugs. 

7 So the static analysis tool doesn't say this is a bug, it 

8 says there might be a bug here, we investigated those, and 

9 some of them were bugs. 

10 Q Did you find all the bugs in the software that you 

11 reviewed? 

12 A Absolutely not. 

13 Q Why not? 

14 A Because there is a lot of bugs, and all indications 

15 are that there are many more, we haven't specifically gone 

16 out looking for bugs. The metrics, like the code complexity 

17 and a number of global variables, indicate the presence of 

18 large numbers of bugs. And just the overall style of the 

19 coded is suggestive that there will be numerous more bugs 

20 that we haven't found yet. 

21 Q And we have talked about bugs. Can you for the 

22 benefit of all of us tell us what you mean when you say 

23 there is a software bug. what does that do to the software? 

24 A Software bug causes the software not to work right. 

25 It can be a little thing, if you're editing a word document 
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on your computer, you might see that suddenly one area of 
the screen is not drawing right, and you have to refresh or 
close the application and bring it back. So that little 
momentary glitch that you might see, or it could be 
something big like the whole program crashes or the whole 
computer crashes and you have to start over. 

Q You were here earlier and heard Mr. Osawa's 
testimony? 

A I did. Yes. 

Q You understand that he was a Denso engineer? 

A I did. 

Q And Denso provided the monitor CPU within the 

electronic throttle control system? 

A Yes. That's one of the things that they did. 

Q Did you hear his testimony where he said they had 

never found any bugs in their software? 

A I did, but I didn't think he was just referring just 
to the monitor CPU. 

Q My question goes back to this: is there any software 
that you're aware of that does not have bugs? 

A No. 

Q And we will talk more about this later, but I want to 
go ahead and bring it out. The term task death. Can you 
give us just a general description of that, because we will 
need it as we go on. 
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1 A Sure. I think it is a bit premature. I can give you 

2 briefly that a task death is a type of software malfunction. 
5 Q Were you able to test for task death while you were 

4 in the source code room? 

5 A Yes. 

6 Q And were you able to cause a task death in the source 

7 code room? 

8 A Yes. we able to confirm that tasks could die in the 

9 Toyota ETCS and that would cause a software malfunction. 

10 Q Go to the next slide. Tell us why you put this in 

11 here. 

12 A Yes. Before we talk about the software anymore, I 

13 think it is important that we all sort of have a high-level 

14 view of what is going on. And you might know how a car 

15 works, you might have thought about it some, but not in a 

16 while. Let's start at the beginning. The driver has two 

17 ways of controlling a vehicle's speed or making it go 

18 faster. One of those is using the accelerator pedal. The 

19 more you push down, the faster the car goes. The other is 

20 using the cruise control where the computer and the software 

21 will take over and keep the speed at a constant. 

22 On the right-hand side, I have drawn fuel, air and 

23 spark. And that's because you need those three elements in 

24 order to make the engine go, at least in the gas engine. A 

25 useful analogy is if you have ever pushed a child on a 
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swing, or someone on a swing, you know that you are giving 
them motion, but they also have a certain motion of their 
own that will continue if you stop. 

Same is true with a combustion engine. The 
combustion engine is causing the piston to go up and down 
and the crank shaft underneath to rotate and move the 
pistons up and down together. There is a certain amount of 
that motion that is like the swing going back and forth that 
will keep going briefly. 

The spark, or the fuel, first of all, is you have 
to have energy. You, yourself, have to have energy in order 
to push them. That's where -- the energy comes from the 
fuel. The spark relates to the timing when you push, if 
you push at the wrong time, you know you will not get as 
much umph, you are not going to cause as much of an increase 
in the power of the swing unless you hit at the right 
moment; that's what the spark does. The spark ignites the 
fuel at the right time. 

The air that is in chamber that is compressed in 
the chamber with the fuel, that is coming in through 
something called the throttle. And that is controlling how 
hard you push. So the more air that you let in through 
throttle, the more push you are giving to the swing; 
therefore you will get a faster engine out. And the spark 
is just going to follow along and hit it at the right time. 
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The air is really going to provide the power for the engine. 

Q So is our throttle control system and the area that 
we're concerned about what is controlling the air in the 
system? 

A we are. And I will get there in a minute. So the 
throttle, for a minute, it is a fancy word, in a car it is a 
fancy word, but it is really no different than you turning 
up the hot water in your shower. You get in the shower and 
your turn the knob, what is happening inside that pipe is 
there is something blocking the water, and then there is not 
something blocking the water. 

You can make it 100 percent of all the capacity 
that it has hot, or you can make it zero percent of all the 
capacity that it has hot. The same is true in the car's 
engine, when you close the throttle, you're robbing the 
combustion engine of its fuel, of its power. There is still 
the gas, of course, but you need fuel and air ideally in a 
certain ratio in order to cause the explosion. 

So the air comes through the throttle, if you 
think about an older car, where your foot on the accelerator 
pedal is always adjusting the throttle, your foot is 
directly in control of how fast the engine is going, and 
that is what is giving the car power. The change to the 
electronic throttle control, which with Toyota began in 
about 2001 in the Prius and 2002 in the Camry, at least in 
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the united States, that means that earlier car computers had 
been in charge of the spark and the fuel. 

They had been in change of two of the things that 
make a car go. But the driver had always been directly in 
control of the air, which is directly related to how much 
power the engine has. when electronic throttle control 
comes in, you have software that is now responsible for all 
three of them at once. So you have a portion of the 
software, the job of which is to make the spark at the right 
time, inject the fuel at the right time and the right 
amount, and open the throttle a certain amount. 

And the throttle opens to allow air to actually be 
sucked in. Not blowing in air, but instead the vacuum that 
is left behind, after the previous combustion, you have 
blown up everything in there, every air particle and every 
gas particle, for the most part is gone. So you have to put 
in both new fuel and new air. So it actually the vacuum 
sucking the air out of the throttle, out of the tube, into 
that chamber that is causing it. So you're just allowing 
more air to flow in and the combustion is taking it from 
there. 

The software in electronic throttle control is 
responsible for all three things, which means if the 
software malfunctions, it has control of the engine and can 
take you for a ride, what is of particular importance is 
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1 that there is another part of the software that is looking 

2 at the driver controls, looking at the accelerator pedal and 

3 cruise control -- it is looking at more than that, but that 

4 is a simplification, that is appropriate right now -- so 

5 there is a part of the software looking at what the 

6 accelerator pedal position is, is it down, is it up, how 

7 much down. Then that is translating that into a calculated 

8 throttle angle. And then another part of the software is 

9 performing the sparking and the throttle control. 

10 Q is this what is referred to when we heard it here 

11 drive by wire? 

12 A Yes. Some people call it drive by wire. It is 

13 confusing to me because there used to be a wire and they 

14 took the wire out and they call it drive by wire. 

15 Q Do you have an example of what Toyota's computer 

16 module looks like that controls these things? 

17 A Yes. 

18 Q So I think you have a laser pointer on that thing 

19 that you have? 

20 A Do we have the actual board. 

21 Q I do. Explain to us what we have here. 

22 A So this is a photograph of the ECM. And this ECM, or 

23 engine control modules, has two big chips on it. Has a 

24 bunch of other chips, capacitors, circuit tracers that you 

25 can see, and other things. This biggest one, the square 
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1 one, is the main CPU. It is a type of a CPU or a model of 

2 CPU called a V850. That is kind of the equivalent of 

3 calling it a Pentium. V850 is the model number of that 

4 processor. Comes from a company, a supplier of Toyota that 

5 used to be called NEC. It has since changed its name. 

6 Then there is a second rectangular chip here, and 

7 that chip is what has been referred to by various witnesses 

8 as the monitor CPU, the ESP-B2 and sometimes the sub-CPU. 

9 importantly, each of those is a processor with its own 

10 software. Then, of course, all together they comprise an 

11 embedded system. 

12 Q So the software that we're going to talk about is 

13 stored within components on this board? 

14 A Almost always when I'm talking about the software, 

15 I'm talking about the software on this main CPU, which 

16 performs the throttle control, the combustion, monitors the 

17 accelerator, and all those things, cruise control. But 

18 there is also software, and I will specifically call out 

19 when I'm talking about this monitor CPU and its software. 

20 Q This is from a 2008 Camry? 

21 A This particular photo is from 2008 Camry. 

22 Q is the 2005 generally very similar to this? 

23 A The chips would be moved around a little bit, but in 

24 terms of the electronics of what is there, there is a V850 

25 processor, there is an ESP-B2. From a substantial 
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similarity point of view, they are very similar. 

Q Can you tell us what this is. 

A That is the very 2008 ECM that this photograph 

reflects. 

Q would this be the general size of the board that 
contains these compute components with a 2005 Camry? 

A They are about the same. Correct. 

Q Let's talk about safety critical systems? 

A So a safety critical system is an embedded system, 
but it can also kill or injure someone. So my Nike fuel 
band is not going to kill or injure anyone. But a car is an 
example of an embedded system, at least some of the 
computers inside it, can cause injury. Now, it wouldn't be 
a case necessarily of the mirror control, but it would be 
the case of the engine control. 

Q So do you consider the electronic throttle control 
system to be a safety critical system? 

A I do. 

Q what sort of things can possibly go wrong with such a 

system? 

A well, the risks in such a system are manyfold. The 
first is that these electronics are being driven around, 
bounced around, splashed around, and in a generally rough 
environment. A lot of embedded system designers don't have 
to worry about their products doing anything other than 
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sitting on a desktop, but a car is a very harsh environment. 

So it is a noisy environment, electrically noisy, 
there is a lot of vibrations. And so one of the things that 
can go wrong -- and this can happen in any electronics, but 
it can particularly happen in a car electronics -- is some 
sort of glitch in the electronics. And that means that 
momentarily one bit inside a chip flips or an electrical 
pain takes on the wrong value. 

with a digital value, if you have an in-between 
number between zero and five volts, you might inadvertently 
get momentarily wrong signal, and that can affect what the 
software does. So that is one thing that can go wrong, a 
glitch in the hardware. You heard Dr. Koopman talk about 
the bit-flips. Another thing that can go wrong is that 
there could be a software bug and it can be activated at any 
time. So the software bug is latent, always there, but then 
you happen to be driving a car that day and the software bug 
suddenly, because of something the car did or a glitch in 
the electronics or something else, it suddenly activates, 
and now you have a malfunction. 

And any reasonable -- any program of reasonable 
size is going to have bugs in it, so you have to, as a 
designer, expect random hardware faults and also there are 
software bugs in there. 

Q Let me ask you a question about that: in terms of 
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1 software bugs, just because they're there will they always 

2 cause a malfunction? 

3 A Just because they're there doesn't mean they will 

4 always cause a malfunction. No. 

5 Q Are some bugs such that there has to be a specific 

6 condition met with the product, the car, whatever in order 

7 for them to manifest themselves? 

8 A Yes. So just going back to my simple example of the 

9 larger recipe, that is a very simple recipe. But suppose it 

10 was a more complicated recipe and we gave it two numbers, 

11 you know, 8,012 and a million and 16. And for that case, 

12 maybe because one of the numbers was over a million or maybe 

13 because of the difference between the two numbers or maybe 

14 because of a bounce that this car did at that very moment or 

15 an electrical glitch or something else, it gives the wrong 

16 answer, instead of saying the larger number is a million, 

17 it says the larger number is 8,000. That is an example of a 

18 bug that was there. It might have never caused a problem, 

19 but in that particular instance, it caused a problem. 

20 Q For example, there has been some testimony or 

21 discussion in this case that Ms. Bookout bought this car, 

22 driven it for several years, put about 9,000 miles on it, 

23 never had a problem. I don't think there is any dispute 

24 about that, in a circumstances like that, could the car 

25 have bugs but yet never display them? 
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A Yes. 

Q in order for the bug to display itself, would the 
vehicle just have to meet and put itself in certain 
conditions that would bring that bug to the surface? 

A Yes. But let me just be clear that there is vehicle 
operating conditions and then there are software operating 
conditions. So you can think about the vehicle operating 
conditions is like whether you're accelerating, whether 
you're decelerating, whether you are pressing the brake, 
whether you are not pressing the brake, whether you have 
cruise control on, whether you don't. Those are all 
different examples of the vehicle being in different states. 

But also the software internally contains many 
thousands of variables, all of which can have different 
values at the moment. Think about that spreadsheet full of 
numbers that Dr. Koopman talked about. That is all going on 
at the same time. Essentially, all the possible values of 
those things represent different software states. 

So you have a very large -- measured in billions or 
trillions, or essentially an infinite space -- of software 
states, if you get yourself into one of those corners, then 
the bug can occur. And that might not be because of what 
you were doing with the car that day, it could simply be 
that the software got into that place. Then what is 
happening with the car layers on top of that, because maybe 
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you were going five miles an hour and versus going 50 miles 
an hour, then you might have a different outcome. 

Q You've mentioned, and Mr. ishii mentioned, that there 
is always bugs. As a software developer, somebody that 
analyzes embedded systems, is it reasonable for a 
manufacturer to try and put in safety features which try to 
take up for or anticipate what bugs may do? 

A Yes. 

Q And have you mentioned that here? 

A Yes. So the third thing that can happen is that if 

you're a software developer and you think, Oh, well, I'm 
worried about the possibility that someone will set the 
throttle angle to 150 percent -- and I don't know what that 
means, but that sounds bad, I don't want it more than 100 
percent. So you might think about that, so you put in a 
detections that says if it is ever more than 100 percent 
then do something safe. That can range from, depending on 
the situation, keeping it at 100 or saying, well, I don't 
know why it ever would have been more than 100, there must 
have been some serious problem and resetting the computer. 

But just because a company and its engineers think 
up 100 possible things that can go wrong, or a thousand 
possible things that can go wrong and implement a set of 
failsafes that they think will defend against them, there is 
two problems with that. The first is the failure of 
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imagination possibility, which is it didn't get on their 
list. They forgot that it was possible that tasks could 
die, for example. 

Another possibility is that failsafe itself has a 
bug in it, a hole in it, a gap. They think they have 
mirrored all the critical variables, made a second copy of 
them, but they haven't. Or they think they have a watchdog 
supervisor that detects task death, but it doesn't or 
doesn't always. So they can have gaps in their safety 
architecture. 

So a third thing that can go wrong is that one of 
those gaps is exposed in the safety architecture. And 
sometimes it takes all three of those happening at once in 
order for your car to malfunction or to malfunction in a 
dangerous way that you report. For example, it might begin 
with a hardware bit foot, and that might cause a bug and 
that might escape detection because they didn't think of 
that possibility. 

Q Are coding standards like we've talked about and 
heard from Dr. Koopman, for example MISRA, are those 
structures that manufacturers can use or rules that 
manufacturers can use to help reduce unforeseen gaps in 
their safety architecture? 

A Yes. well, no. Not specifically in their gaps in 
their safety architecture. They can help to keep bugs out. 
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1 Q And if you don't have bugs, then it helps to create 

2 -- you don't need as big a safety architecture? 

B A I wouldn't say that's true either. 

4 Q Okay, what would you say? 

5A I would say that following a coding standard like 

6 MISRA-C can help to reduce the number of bugs in your 

7 software. Doing what Dr. Koopman talked about, which is 

8 having a software process like MISRA software standard, the 

9 Fat Standard, or the ISO Standards, that is a way to make 

10 sure that there are no single points of failure in your 

11 system. And so even if you have a bug that you don't know 

12 is there, you always have a way that it will be safely 
IB handled. 

14 Q So in terms of creating a safe architecture, a safe 

15 system, can it be something that is an afterthought? 

16 A No. You have to design in safety. Safety has to be 

17 there from the beginning. I think Dr. Koopman said it 

18 really well. He talked about the Therac-25, which was a 

19 famous case that embedded software engineers studied where a 

20 medical device that was used in treating patients, actually 

21 was killing them by giving them too much radiation. 

22 And he talked about how Dr. Leveson at MIT who 

23 studied the subject she found that simply the developers 

24 would find a bug and fix it and think they had solved the 

25 problem, and then the next patient was given too much 
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radiation and they would find a bug and fix it. You cannot 
got down the path of find a bug and fix it. You have to 
design safety in. 

And that's also important because sometimes 
embedded systems can't be updated, can't be upgraded. For 
example, in this Toyota electronic throttle control, there 
are two processors. The main processor has the potential to 
be updated, have the software updated, when you're in the 
dealer. It is capable, anyway, the chip of doing that. 

But the second processor, the monitor CPU is burned 
in a factory, a million chips all alike, and those chips 
can't ever be changed. So if there is a flaw, you can't go 
in and fix that flaw, so you have to have a good design from 
the beginning, you know, separate fault containment regions, 
no single points of failure, and you should follow a 
software process, safety process, in order to achieve that. 

Q Let's look at our next slide. I think Dr. Koopman 
showed us this one as well. 

A Right. So the slide says two things. First of all, 
it says that NASA agrees that Toyota's electronic throttle 
control is a safety critical system. They add some other 
terms of art that I don't think we need to get into, hard 
realtime. Then this figure that Dr. Koopman had shown may 
make a little more sense now, so I will just briefly explain 
it. 
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On the right, we have the combustion controls, we 
have a throttle valve that is controlled through a motor. 

The motor is doing the job of turning the knob on that hot 
water, we also have the fuel injection, that is the 
squirting of the fuel into the cylinder, and then we have 
ignition coil, which is charged up and then at the 
appropriate time creates a spark. 

The ECM in pink is the circuit board that has the 
two processors on it. And there is some explanation of 
kinds of thing that it does, but it does a lot more than 
this. You can see that it is monitoring the accelerator 
pedal, it is making sure you car doesn't stall by setting 
the idle speed, which can be different depending on whether 
you have the heat and air conditioning on, things of that 
sort. 

The cruise control, the transmission shifting and 
various over functions are taking place in there if you have 
an automatic transmission. Then this is showing the inputs 
to that. So, for example, the accelerator pedal sensors and 
other vehicle sensors that are used in that process. 

Q All right. So is the significance of this slide that 
NASA has reached the conclusion that this throttle control 
system is a safety critical system? 

A I think that is an important point. Yea. 

Q Now, based on all the things that you have done and 
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the analysis that you have done in this case, have you 
reached some conclusions that you will talk to us about? 

A Yes. 

Q is that the next slide? 

A Yes, it is. 

Q All right. Let's start with the first one at the 

top. And tell us about your conclusion. 

A So the first main conclusion is that the 2005 Camry 
electronic throttle control, the software os of unreasonable 
quality. It contains bugs, but that's not the only reason 
it is of unreasonable quality. And it's otherwise defective 
for a number of reasons. This includes bugs that when put 
together with the defects can cause unintended acceleration. 

Q As we go forward are you going to explain to us how 
those problems that you found will cause an unintended 
acceleration? 

A Yes. 

Q Then you mentioned the code quality metrics, what do 
you mean about that? 

A So the code complexity and the McCabe Code Complexity 
is one of the measures of that. And the code complexity for 
Toyota's code is very high. There are a large number of 
functions that are overly complex. By the standard industry 
metrics some of them are untestable, meaning that it is so 
complicated a recipe that there is no way to develop a 
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reliable test suite or test methodology to test all the 
possible things that can happen in it. 

Some of them are even so complex that they are what 
is called unmaintainable, which means that if you go in to 
fix a bug or to make a change, you're likely to create a new 
bug in the process. Just because your car has the latest 
version of the firmware -- that is what we call embedded 
software -- doesn't mean it is safer necessarily than the 
older one. 

So the metrics that I see in the source code that I 
will talk more in specific with you about, they predict that 
there are many more bugs. 

Q Are you also going to tell us about a conclusion that 
we see on the board related to the fail safes? 

A Yes. And that conclusion is that the failsafes are 
inadequate. The failsafes that they have contain defects or 
gaps. But on the whole, the safety architecture is a house 
of cards. It is possible for a large percentage of the 
failsafes to be disabled at the same time that the throttle 
control is lost. 

Q And you make that statement, but in practical terms 
what does that mean? 

A That means that the random hardware fault that can 
occur from time to time, the software bug that is latent, 
lurking, witting to happen can on the right day and the 
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1 right conditions can get through or knock down the failsafes 

2 that are in place. 

3 Q All right. And the your last comment here. 

4A So ultimately my conclusion is that this Toyota 

5 electronic throttle control system is a cause of UA software 

6 malfunction in this electronic throttle module, can cause 

7 unintended acceleration. 

8 Q And I know we will get to it later, but ultimately 

9 you have a conclusion that it also was the cause of the 

10 wreck in this case? 

11 A I do. 

12 Q All right. And we mentioned it here, we mentioned it 

13 several times, unintended acceleration. Do you have a 

14 specific definition for that? 

15 A Yes. I have simply adopted the definition that was 

16 used by NHTSA and NASA, which I think is a reasonable 

17 definition, which is if the vehicle is experiencing any 

18 amount of acceleration that the driver didn't want or 

19 purposely caused. And that comes in different flavors, of 

20 course. It could be that the car suddenly accelerated away, 

21 but it can also be that the car continued to go at the same 

22 speed even though you let off the accelerator. So I've 

23 cited that definition here from the NHTSA report that was 

24 published in 2011. 

25 Q All right. Now, Mr. Arora, who is sitting right back 


***** T HIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



68 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


here, is Toyota's software expert. And you reviewed his 
work, correct? 

A Yes, I have. 

Q Does he also use NHTSA's definition for unintended 
acceleration? 

A No, he doesn't. 

Q All right. Let's go to the next slide and talk a 
little bit about NASA. 

A Before we go on, I just want to say that I also 
sometimes will refer to it as loss of throttle control. So 
if you lose the ability as a driver to control what is 
happening with that throttle valve, that is another way that 
I sometimes say unintended acceleration. You might see that 
on the slides, you might hear me say that. 

Q All right. Let's look at the next slide. Before we 

get into the details of the conclusions that you have here 
from the NASA report, NASA had a report, evaluated some 
vehicles, software and came up with conclusions, correct? 

A Correct. 

Q Have you essentially taken what they have done and 

built upon it? 

A Yes. 

Q Tell us what is significant about the portions here 

in this slide that you're showing us. 

A I was actually familiar with the NASA report and had 
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looked at it before I was ever engaged with these cases. 

One of the things that jumped out at me as an embedded 
software engineer reading the work of other embedded 
software engineers at NASA was that their ultimate 
conclusion was not from their analysis that a software bug 
or malfunctioning could not cause UA. 

They simply concluded that in the time they had 
they couldn't find the bug that caused UA, or a bug that 
caused UA. And, in fact, they sought a very narrow 
definition of UA. They thought -- they saw it, and they 
state this in the report -- only a bug that would open the 
throttle more than 25 degrees, not leave any, what are 
called diagnostic trouble codes behind as evidence later, 
and some other criteria. I'm not sure why they scoped it in 
that particular way. 

Q And we will talk about diagnostic trouble codes 
later, right? 

A That's correct. 

Q All right. This slide here, does it show some of 
NASA's scenarios that they postulated where a UA can occur? 

A Yes. 

Q Take us through it, please. 

A So NASA summarized, in particular on a table on page 
78 of their main report, a bunch of scenarios that they 
considered could cause UA. And they had ruled out a number 
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of them, but there are two rows left that they couldn't rule 
out. And that is what these paragraphs are about. 

The first row that they couldn't rule out is that 
the accelerator pedal has two sensors, redundant sensors. 

And the first one they couldn't rule our is if they both 
failed together, or were electrically entangled, became 
electrically entangled, then as a result there was no way 
for the system to detect that. 

So they worried, one, that that could cause UA. 

Then the second one they were worried about is what we will 
have talking about which is a systematic software 
malfunction in the main processor that is not detected by 
the monitor system, the monitor CPU. I think that is the 
main quote. 

Q Okay. So one of the proposed scenarios that NASA 
thought might could happen is that which you believe 
happened in this case? 

A Yes. 

Q All right, what else about this slide is important? 

A well, ultimately, you can see at the end there also 

NASA states clearly that just because they didn't find the 
bug, the proof, doesn't vindicate the system or say that the 
system is safe. NASA didn't say in their report that the 
system was safe. 

Q All right. And are you going to describe -- I think 
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1 in your next slide -- several of the defects that you found 

2 in Toyota's electronic throttle control system? 

3 A Yes. 

4 Q All right. Start at the top and describe them for 

5 us. 

6 A So we're going to be talking about these things in 

7 more detail. I want to kind of give you a preview of where 

8 we're going, if you will. So NASA falsely understood or 

9 misunderstood that all critical variables, or all critical 

10 values in that spreadsheet had a second copy, and that's not 

11 true. 

12 Q is that called mirroring? 

13 A That is mirroring. It can be called mirroring or 

14 echoing depending on precisely how you do it. But, 

15 generally, we can use the term mirroring. 

16 Q will we discuss that in more detail later? 

17 A we are. lust to be clear, what we found is that NASA 

18 had a misunderstanding here. There were actually critical 

19 values that were not mirrored. 

20 Q All right, what is next? 

21 A The other thing is that Dr. Koopman talked about how 

22 bit-flips can occur in the real world. There can be a one 

23 that becomes a zero or a zero that becomes a one, and this 

24 can happen inside integrated circuits or chips. And NASA 

25 was under the false belief that there was a protection 
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mechanism in there. Dr. Koopman gave an example of a parody 
bit, an extra bit of information, additional bits of 
information that were like a partial copy that indicated 
something was wrong. 

And that is also known as EDAC in NASA's report, 
E-D-A-C. It stands for error detective and correction 
codes. And so NASA didn't know that that wasn't there. It 
wasn't there in the 2005 Camry. And so if the bit-flip 
occurred, there would be no hardware mechanism to find it. 
And if it occurred in a critical value that was not 
mirrored, there would be no software protections against it. 

So the conclusion here is that there are critical 
variables in which bits could flip. Or there could be a 
software bug if you correct them. 

Q NASA, as part of their evaluation, looked 
specifically at the 2005 Camry, correct? 

A They did. 

Q And are you telling us that they were under the 
belief that the 2005 Camry had EDAC? 

A Yes. 

Q Does that make a difference in the analysis? 

A Yes. 

Q Does the 2005 Camry have EDAC? 

A No, it does not. 

Q How do you know that? 
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A we received additional information that NASA didn't 

have, we received information, a spreadsheet, that 
summarized -- it is one of the documents that I'm most 
familiar with this -- which is a spreadsheet that showed 
which vehicles, like Camry, which model years, like 2005, 
had hardware memory protection and which ones didn't. 

There was a sort of EDAC, not as much as NASA was 
talking about or NASA would employ in space, but there was 
one in the 2008 Camry, but there was not in the 2005 Camry. 
So later they put it in, but they didn't have it in the 
vehicle that NASA studied. 

Q And you're going to talk next about memory 
corruption? 

A Yes. So hardware bit-flip can occur. And NASA 
states that as well, and they were concerned about that, 
which is why they relied on the EDAC being there and the 
mirroring. But there were also bugs in Toyota's code that 
will have allow memory corruption to occur from a latent or 
just hanging around software bug from time to time. 

Q A hidden bug? 

A A hidden bug. That's right. One of those relates to 
stack overflow. NASA didn't realize that a stack overflow 
was a possibility, but our analysis shows that it is. And I 
will talk more about that. And also there are also software 
bugs. Now, NASA found bugs and said they found issues in 
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Toyota's code, but they didn't find the one or a one that 
opened the throttle 25 degrees and various other things. 

we found a set of bugs that specifically can cause 
memory corruption. So they're lurking there. And if they 
happen, then as a result of that, then the some critical 
variable could be -- could have a new value, for example, 
the throttle commend could become instead of opening 20 
percent opening 50 percent letting in a lot more air and 
giving the engine a lot more power. 

Q And you will discuss that in a lot of detail later 
right? 

A Yes. 

Q So is it, at least right now, memory corruption is a 
way that UA can occur? 

A That's correct. 

Q All right. And we're going to get into detail on 
these defects. But the thing that I wanted to ask you 
about, are these defects that you will discuss consistent 
with the opinions and testimony that Dr. Koopman gave us 
last week? 

A Yes. 

Q He talked to us about the process and rules and that 
sort of thing on how to create a safe system. Does your 
analysis for this case go deeper than what Dr. Koopman's 
did? 
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1 A Yes. So Dr. Koopman was not able to see the source 

2 code, and so Dr. Koopman's analysis focuses on the science 

3 that underpins designing safe systems, that standards that 

4 are available to carmakers for making their car safe, 

5 whereas I support that by examining the source code and 

6 finding that those things weren't done. 

7 Q So where he couldn't tell us whether those problems 

8 that he saw caused Ms. Bookout's unintended acceleration, 

9 you're able to go into that detail analysis because of your 

10 review of the source code? 

11 A That's correct. 

12 Q All right. Let's go to the next slide? 

13 A So the ultimate conclusion from the presence of these 

14 defects is that the software could malfunction. And the 

15 most dangerous such malfunction would be if the car had a 

16 portion of its software that was working, and that part was 

17 running the combustion feeding air and fuel and spark to the 

18 engine at the same time that the part that the driver was 

19 interacting with through the accelerator pedal or the cruise 

20 control switches was not listening to the driver because it 

21 crashed or hung, like one application might crash on your 

22 desktop while another one is still running. 

23 Q And are the defects that you're describing here that 

24 can cause an unintended acceleration, can that occur when 

25 the cruise control is on? 
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A Yes. 

Q Can it occur when the cruise control is off? 

A Yes. 

Q And it is the same software defects that would relate 
to both? 

A Yes. 

Q Let's go to the next slide. You're talking about the 

software malfunctions here? 

A Yes. This just uses an analogy and makes the point 

that, of course, software malfunctions. And we see it all 
the time in our daily lives whether it your laptop or your 
desktop, sometimes you have to reboot things, restart 
applications, et cetera. 

It is a fact of life that software developers are 
well aware of, or should be well aware of that software 
malfunctions can occur. I don't know if you ever had the 
experience where is one app on your Smart phone is not 
working and the others are. And we all know, we are trained 
to reboot it. Just reboot it. Oh, you didn't get my phone 
call? well, maybe your phone is not taking calls right now 
because of a software bug. That can happen in an iphone or 
an android. Even though your might be able to make outgoing 
calls, if one part of the software is not working, the rest 
is. So you reboot it and suddenly everything is fine. 

The 2005 Camry has apps. They don't call them 
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apps, they call them tasks. And so there are ^ tasks 
inside the engine. As an example, there is one task whose 
job it is to keep track of how fast the car is going. That 
is important, obviously, if you will have a cruise control 
feature because a cruise control needs to know not only what 
speed you would like it to be but what speed it really is. 

Q Let me stop you right there. 

MR. BAKER: Your Honor, my next question is going 
to involve some source code. So at Toyota's request, I 
think we need to clear the folks out of the courtroom again. 

THE COURT: is this going to be periodically, or is 
this the only time? 

MR. BAKER: I hope this is the only time. 

THE COURT: if not, I will just exclude everybody 
from this point on. You think this may be the only time? 

MR. BAKER: I will transition into our nicknames 
for it so we don't have to do it anymore. 

MR. BIBB: I think there is one other area that I 
noticed, but it is a long way from here in this slide show. 

THE COURT: Again, if you do not have source code 
access, please exit the courtroom. 

(whereupon, the courtroom complies.) 

THE COURT: You may proceed, Mr. Baker. 

MR. BAKER: Thank you, your Honor. 

Q (By Mr. Baker) You're talking about ^ tasks that 
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1 run this system, correct? 

2 A Correct. 

3 Q All right. Earlier we heard some testimony from Mr. 

4 Osawa, and he mentioned a couple terms that I believe are 

5 tasks names, and I want to ask you about those. He 

6 mentioned is that a name for one of these ^ tasks? 

7 A It i s. 

8 Q He also mentioned is that also the name of a 

9 task? 

10 A It is. 

11 Q All right. And in terms of do any of those 

12 characters have specific meaning to you or a programmer who 

13 is looking at this? 

14 A Yes. in Toyota's design, there were ^ tasks. And 

15 some of those tasks did things on a time basis. There were 

16 three of them, in fact. One of them that did something 

17 every millisecond, one of them that did a lot of stuff 

18 every milliseconds; and that's this one, and 

19 another one that did a lot of stuff, again, every g|| 

20 milliseconds. And those are known as the millisecond 

and | millisecond 

22 tasks. 

23 Those are the only tasks that were named quite like 

24 that. Most of the other tasks related to moving the 

25 combustion process at a certain speed that varied depending 
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1 on the engine speed, so it wasn't time based. And also 

2 there were some asynchronous things that happened separate 

3 from the engine speed, separate from the time, amount of 

4 time. 

5 Q And these two terms that we have specifically 

6 referenced here, are those source code terms to which Toyota 

7 has claimed are confidential and they don't want the public 

8 to hear those characters? 

9 A Yes. if you were to look at my report there, you 

10 would see every time I said it is blacked out. Every 

11 time I said it is blacked out. And other similar 

12 things are blacked out, and the same is true with the 

13 deposition transcripts from my testimony. 

14 Q And so for these ^ tasks that you referenced here, 

15 each one has a name like this similar? 

16 A well, as I said, there is only the three that have 

17 time-based names. 

18 Q in terms of our case here, are we going to talk a lot 

19 about ^^|? 

20 A we are. 

21 Q in order to avoid having to clear the courtroom every 

22 time we talk about it, do you generally talk about in your 

23 work as task X? 

24 A I do. I call it task X, letter X. 

25 Q So whenever we say task X, you're referring to this 
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specific task? 

A That's correct. 

Q For that specific task, can you tell us what 
particular functions that task has to perform? 

A I can't, because it is a very extensive list. I 
actually also refer to this tasks as the kitchen-sink task, 
because it does so much in the system. But importantly, for 
our purposes, it does throttle control; that is it selects 
the next throttle percentage, whether it should be 100 
percent, 50 percent, 20 percent. And it does that based on 
looking at the accelerator pedal position, whether the 
cruise it on. 

It executes also the cruise control code, so it is 
responsible both for turning on cruise control, maintaining 
speed of cruise control, and turning off cruise control. 

It also is responsible for many of the fail safes on the main 
CPU. we will talk more about that as well. 

Q we also mentioned DTC. what do those stand for? 

A DTC stands for diagnostic trouble codes. And most of 
those also are either in the millisecond task, task X, 

or they are -- they require its help in order to be 
recorded. These are codes that are recorded in your -- if 
you have ever taken your car to the dealer because the 
check-engine light was on and they read the computer and 
they told you that you have a back oxygen sensor or 
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something like that, that is an example of a diagnostic 
trouble code. Many of them indicate there is a problem with 
a sensor or a that there is a problems with some other 
engine component. 

Q And in your Camry, is it this task X that has the job 
to either set or help set diagnostic trouble codes in the 
car computer, at least associated with what we will be 
talking about? 

A Yes. I won't say all of them, but most of them, the 
vast majority of them, will not be recorded unless that task 
X is doing all its job. 

Q You have gone through all these things, you told us 
this task has control over or performs, is it unusual for a 
single task to have so many tasks within it? 

A Yes. It is not a good software architecture. 

Q why is that? 

A in particular, combining the part of the system that 
does the calculation of the throttle angle with the 
fail safes and trouble codes is a well-known bad design. 

There is a pattern that people usually follow where you have 
a controller and you have a monitor. And so even within the 
software, it should have been architected so that the 
control of the throttle was separate from the fail safes 
related to the throttle and sensors that inputs them. 

Q Let me ask about that then. The jury heard testimony 
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1 about a brake override system. Are you familiar with that? 

2 A Yes. 

3 Q Wherein the accelerator is in certain condition, if 

4 you press the brake it will automatically cut the throttle. 

5 Are you familiar with that? 

6a I am. There is not one in the 2005 Camry, to be 

7 clear. 

8 Q Right. Do you have an understanding of the system 

9 that Toyota has since used? 

10 A Yes. I reviewed the one that they put into the 2010 

11 Camry. 

12 Q where is the function for that brake override? where 

13 is the task located, as you understand it? 

14 A Yes. So the brake override that is supposed to save 

15 the day when there is an unintended acceleration is in task 

16 X, of course, because it is the kitchen sink. 

17 Q All right. And we will later in more detail about 

18 task death where a task just stops running, correct? 

19 A Yes. 

20 Q And I think your focus is going to be in on the death 

21 of task X? 

22 A That's correct. I don't think I will need to name 

23 any of the other tasks in order to talk about the rest. 

24 Q Just to followup your example on brake override 

25 systems, if Toyota's system were used, and task X died and 
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caused a UA, would brake override work? 

A No. 

Q why not? 

A Because you have software watching the software. So 
if the software malfunctions and the same program or same 
app that is crashed, is supposed to save the day, it can't 
save the day because it is not working. 

Q How would you fix that? 

A well, the right way to design a brake override, in my 
opinion, is to have it on an external chip. It is not just 
my opinion, it is also in a standard called EGAS (phonetic) 
for automotive makers. And in that design, you have a 
separate chip that looks at whether the driver is braking 
and whether the throttle is open. Does it make sense that 
you're braking but you are having to fight the throttle 
because it is open 50 percent or 100 percent? 

It would be relatively simple, and I will have 
explain later how Toyota could have done this back in 2002 
without any extra cost to the vehicle, that if you were 
braking and the throttle was stuck that there must be 
something wrong with the main CPU and it can reset. A car 
traveling at 60 miles an hour, a Toyota 2005 Camry traveling 
at 60 miles an hour, can reset its computer in about 11 
feet. 

So it's okay to reset the computer in order to 
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solve the problem. And that would, just like resetting your 
iphone, solve the problem. And Toyota had the means and 
could have done that, but they didn't do that in the 2005 
Camry. Even in the 2010 Camry, when they were responding to 
the NHTSA problems and investigations, what they did was 
software watching software. They didn't put a separate chip 
or have a proper brake throttle override. 

Q Have you covered everything on this slide that you 
want to talk about? I have a question if we have. 

A There is one thing that I want to talk about. I 
wrote there all of these tasks are meant to be running 
always. So I talked about task death a little bit, the idea 
that one app crashes, right? 

So what if you're driving down the road and you 
only now have ^ of these tasks working but your car seems 
to be operating normal? is that a good thing? No. Let's 
say that there are ^ tasks, each had assigned to it one 
programmer at Toyota or Denso. It is as if though one of 
them, you're not benefitting from the work of that m| 
engineer that day while you're driving down the road until 
you restart your car. It may cause a malfunction that is 
dangerous. It may cause a minor malfunction that you don't 
even notice. Then when you restart the car, it goes back to 
being a car. 

Q Let's talk a little bit about the operating system we 
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discussed earlier. Tell us -- I know you have your graphics 
here. The task that you just mentioned, would those be the 
tasks that we see at the top here? 

A Yes. I've illustrated those. I just call them task 
1 to N. Of course, N would be ^ in this case for this 
particular vehicle. The point of the slide is two things: 
First of all, to tell you that Toyota had an operating 
system in its cars, in its engines. And the other thing is 
for me to explain what an operating system is. You're 
obviously not running Windows in your engine, if you were, 
it wouldn't be able to reboot in 11 feet at 60 miles an 
hour. 

So you are running a much smaller simple operating 
system, in this case, in this vehicle, it is called OSEK, 
O-S-E-K. And that operating system has a couple of jobs. 

One of those jobs is to provide helper recipes that all of 
the tasks need. The other job, which is critically 
important to the system, is it picks and chooses which task 
gets to sue the processor at any given moment. 

There is only one processor, one main CPU. You 
have ^ apps running on it. So the operating system 
performs a bit of magic where it time slices and selects, 

Oh, task 3 for a while, task 4 for a while, task X for a 
while, task 24 for a while, task 2 for a while. And that 
selection process is really the main job really of the 
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operating system. 

And I wrote up here that inside the operating 
system it keeps what are called critical data structures. 

And what I mean by that is since the operating system's job 
is to keep track of all of this, it is like a taxi cab 
dispatcher sending out calls; it needs to keep track of its 
charges, its tasks. So I think it is useful to think about 
the operating system as being a person with a set of 
three-by-five cards. 

On each three-by-five is written the task name or 
number, task one, and some notes about it like, Hasn't run 
yet, or hasn't run in a while, needs to run. Or task X 
currently using the processor. So -- and the operating 
system does its job. I have actually written an operating 
system and written about it in my first book and studied 
operating systems. 

inside it it is basically doing that data-keeping 
function, and so it is doing something like, well, this is 
the three-by-five card I have on a pedestal of the task that 
is currently running. And this is a group of them that I 
sorted by importance that need to use the processor when it 
gets a chance. And then these over here, they don't need to 
run for a while because it hasn't yet been eight 
milliseconds since the last time it started. 

So the operating system is shuffling these data 
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1 structures around, these three-by-five cards. And if in the 

2 process the cards get mixed up, or some of the notes on the 

3 cards become corrupted, then bad things can happen to the 

4 apps that are running on top, the tasks that are running on 

5 top. 

6 Q And as we go through this process, are you going to 

7 describe for us defects in the operating system? 

8 A Yes. 

9 Q is the operating system an important part of the 

10 design of Toyota's ETCS, throttle control system? 

11 A It is an extremely important part. It is like the 

12 columns that hold up a building in an architecture. So the 

13 choice of what kind of operating system to use, and the 

14 choice of how that operating system is structured is 

15 critically important to the integrity of the system. Yes. 

16 Q We talked earlier about you have reviewed 2002 to 

17 2010 vehicles that included Camrys, the Lexus ES and the 

18 Tacoma, within that time frame, are there certain of those 

19 vehicles that all use the same operating system that Ms. 

20 Bookout's vehicle used? 

21 A Yes. Many of them used the OSEK operating system. 

22 Many of them used the same exact version of the OSEK 

23 operating system which means exactly the same source code 

24 and ultimately the same machine code. And then others that 

25 used OSEK used a version number of one or two versions off 
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that are substantially similar from that point of view. 

Q Here in your report that you did, did you do a 
chapter on operating systems? 

A Yes. The first chapter is on the operating systems. 

Q Did you provide a chart which shows which vehicles 

will contain the same operating system as Ms. Bookout's 
Camry? 

A Yes. 

Q Lets's go to the next slide. 

A Don't worry. I don't expect you to understand 

everything that is on here. 

Q You and I have looked at it before and I still don't 
understand. 

A And you don't need to. This is just a representation 
of what we found with respect to those data structures, 
those three-by-five cards. So this is just a depiction of 
what we found inside the operating system when we looked at 
it to see how it kept track of which tasks needed to use the 
CPU and which ones and which ones were eager to do so, and 
which ones were using it. 

And it has this three-tier structure that is 
actually the same between the two different ones called 
Itron and one called OSEK operating systems that Toyota has 
used in these electronic throttle vehicles. But you can 
think of these as three-by-five cards about a task, and this 

***** T HIS TRANSCRIPT HAS NOT BEEN PROOFREAD ***** 



89 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


would -- I was going to say you can think of it as the notes 
on a three-by-five card, but my analogy would break there. 

So this is actually a sort of scoreboard, if you 
like, that keeps track of what importance the various things 
are that need to be done. 

Q is there defects in this operating system that you 
believe relate to unintended acceleration? 

A Yes. 

Q Take a look at the next slide. 

A So it turns out that Toyota didn't look at this 
operating system. And inside this operating system when we 
looked, we found that these critical data structures aren't 
protected in any way. 

Not only is there not a hardware protection against 
hardware random faults, but there is also no protection 
against either hardware faults or software faults, software 
bugs, causing corruption of this data inside the operating 
system. So you can actually see that this particular bit 
here that I flipped on the drawing from a one, which it used 

to be, to a zero, that will actually have the effect, a 

bit-flip there, will have the effect of killing one of the 
tasks. 

And now that task -- depends on how the corruption 
happens, actually -- but one thing that can happen is that 
task will never run again until you reboot the car, which 
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generally speaking is it is taking the key and turning it 
off and turning it back on. if you have a push-button 
start, you actually have to get out of the car with your key 
on a remote before it will actually reset the processor. 

Q is that top line talking about a bit-flip where Dr. 
Koopman was talking about bit-flips but he was talking about 
from outside rays doing that? 

A That is one way it can occur. Another way it can 
occur is by a software bug. And the software bug could be 
inside the operating system or outside the operating system. 
And it could affect more than one bit at a time. A hardware 
bit-flips that Dr. Koopman talked about and that NASA talks 
about are often called single event effects or single event 
upsets. And very often they effect just one bit. 

But a software bug, of course, can corrupt a whole 
area of the memory or one bit or a collection of bits. And 
any corruption that occurs in here has the potential to kill 
one or more tasks, either temporarily or permanently. 

Q You mentioned early EDAC. Does EDAC come into play 
if it existed with some of the things that your are 
describing here? 

A It does and it doesn't, if there was EDAC, remember 
is like the parody bits, those hardware memory protections, 
if there was that, then we wouldn't have to worry -- might 
not have to, depending on how it is designed -- worry about 
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those single event electronic effects, EMI or Alpha particle 
strikes like Dr. Koopman talked about. 

However, if there was EDAC, this could still be 
corrupted by a software bug. So EDAC alone is not the 
answer here. 

Q And these things you're telling us can happen, how do 
you know that? 

A I know that because we simulated it in the code room 
using the Green Hill simulator that Toyota used. And we 
also simulated it in the vehicle, in multiple vehicles, 
Camrys. 

MR. BAKER: Your Honor, I know we're a little bit 
early, but we are about to transition into something that 
will take longer. 

THE COURT: we will take our lunch break now. 

Ladies and gentlemen, it is 11:45. we are in recess for an 
hour and 15 minutes or until 1:00. 

I would remind you: During the recess, do not 
discuss the case, and do not begin to form any opinions 
about the case. 

All rise while the jury exits. 

(whereupon, the jury exits the courtroom.) 

THE COURT: we're on the record, we're outside the 
presence of the jury, we're discussing the proposed 
deposition of Mr. Takimoto. The defendants have objected, 
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Toyota has objected to the entries on page 169 and going 
through 171, line 19. The court is going to overrule the 
specific objection that was just raised by Toyota. And, 
again, the court would note that Toyota is reserving its -- 
and I'm preserving for the record all the previous 
objections that have been made with regard to this that the 
court has ruled on previously. 

MR. BAKER: And there are other objections in here, 
your Honor, we're not necessarily agreeing to them, but to 
the extent that you have already issued prior rulings about 
testimony, we're removing the contested language. 

THE COURT: Again, preserving whether that should 
or should not be there but in compliance with my previous 
orders. 

MR. BAKER: Yes, ma'am. 

THE COURT: Okay. All right. The court is 
admitting Court's Exhibit No. 7, the deposition testimony of 
Star Caudle. And for the record, the court would indicate 
those items highlighted in here in red are the designations 
by plaintiff, and the ones highlighted in yellow were the 
counterdesignations by the defendant. That is what was 
actually read to the jury, just those unlined in red or 
highlighted in yellow. 

Then, lastly, those highlighted in the blue marker 
are defendants' objections that the court has ruled on 
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earlier throughout the course of the trial. 

MR. CLARK: And we're preserving all of our 
objections. 

THE COURT: Yes. 

(Conclusion of morning trial proceedings.) 
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